
Red Hat Enterprise Linux 8: Important Security Update for IcedTea-Web

Red Hat, July 31, 2019
Crucial notification regarding icedtea-web on Red Hat Enterprise Linux 8, focusing on vulnerabilities and essential recommendations.
An update for icedtea-web is now available for Red Hat Enterprise Linux 8

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Web browsers using the IcedTea-Web browser plug-in must be restarted for this update to take effect.

Summary

The IcedTea-Web project provides a Java web browser plug-in and an implementation of Java Web Start, which is based on the Netx project. It also contains a configuration tool for managing deployment settings for the plug-in and Web Start implementations. IcedTea-Web now also contains PolicyEditor - a simple tool to configure Java policies.
Security Fix(es):
* icedtea-web: path traversal while processing elements of JNLP files results in arbitrary file overwrite (CVE-2019-10182)
* icedtea-web: directory traversal in the nested jar auto-extraction leading to arbitrary file overwrite (CVE-2019-10185)
* icedtea-web: unsigned code injection in a signed JAR file (CVE-2019-10181)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

https://access.redhat.com/security/cve/CVE-2019-10181
https://access.redhat.com/security/cve/CVE-2019-10182
https://access.redhat.com/security/cve/CVE-2019-10185
https://access.redhat.com/security/updates/classification/#important

Package List

Red Hat Enterprise Linux AppStream (v. 8):
Source: icedtea-web-1.7.1-17.el8_0.src.rpm
noarch:
icedtea-web-1.7.1-17.el8_0.noarch.rpm
icedtea-web-javadoc-1.7.1-17.el8_0.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
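
To find hosts that still carry a build older than the fixed packages listed above, the following added example (not part of the Red Hat advisory) compares `rpm -q` output against 1.7.1-17.el8_0. The host names and older builds in the inventory are constructed, the comparison is a simplified form of rpm's version ordering (no tilde or caret handling), and the package epoch is assumed to be unset.

```python
import re

# Fixed build taken from the advisory's package list (RHSA-2019:2004-01).
FIXED_VERSION, FIXED_RELEASE = "1.7.1", "17.el8_0"

def rpmvercmp(a, b):
    """Compare two version or release strings the way rpm orders them.
    Simplified: tilde and caret modifiers are not handled."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)  # numeric segments compare as integers
        elif x.isdigit() != y.isdigit():
            # A numeric segment always sorts newer than an alphabetic one.
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def parse_nvra(nvra):
    """Split 'name-version-release.arch' as printed by `rpm -q`."""
    nvr, _arch = nvra.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release

def needs_update(nvra):
    """True if an icedtea-web package is older than the fixed build."""
    name, version, release = parse_nvra(nvra)
    if name not in ("icedtea-web", "icedtea-web-javadoc"):
        return False
    c = rpmvercmp(version, FIXED_VERSION)
    if c == 0:
        c = rpmvercmp(release, FIXED_RELEASE)
    return c < 0

# Constructed inventory, one "host<TAB>rpm -q output" per line (not real hosts).
INVENTORY = """\
web01\ticedtea-web-1.7.1-16.el8.noarch
web02\ticedtea-web-1.7.1-17.el8_0.noarch
dev03\ticedtea-web-1.7.1-9.el8.noarch
"""

def vulnerable_hosts(inventory):
    """Hosts whose icedtea-web build predates the fixed one."""
    rows = (line.split("\t") for line in inventory.splitlines())
    return [host for host, nvra in rows if needs_update(nvra)]
```

Browsers using the plug-in on updated hosts still have to be restarted, as the Solution section states, so a host passing this check may be running the old code until then.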


Severity
important

Advisory ID: RHSA-2019:2004-01
Product: Red Hat Enterprise Linux
Issue date: 2019-07-31

Topic

An update for icedtea-web is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Relevant Releases/Architectures

Red Hat Enterprise Linux AppStream (v. 8) - noarch

Bugs Fixed

1724958 - CVE-2019-10182 icedtea-web: path traversal while processing elements of JNLP files results in arbitrary file overwrite

1724989 - CVE-2019-10185 icedtea-web: directory traversal in the nested jar auto-extraction leading to arbitrary file overwrite

1725928 - CVE-2019-10181 icedtea-web: unsigned code injection in a signed JAR file
